authorfelt@chromium.org <felt@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-08-19 04:02:10 +0000
committerfelt@chromium.org <felt@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-08-19 04:03:27 +0000
commit1511b0dbeb893dc02a54f913d0a7fcdd55a02fd2 (patch)
tree3119029956922d584815538b615918083d80591f
parentf9ee6004d4048a09bcc2b39c36ce59731dd8b5f1 (diff)
Identify expired certificates in a chain
If an intermediate or root cert is expired, the UI makes it look like the problem is that the leaf cert is not yet valid. This CL fixes that by adding a generic error message for expired intermediate/root certs. BUG=398910 R=rsleevi@chromium.org Review URL: https://codereview.chromium.org/483143002 Cr-Commit-Position: refs/heads/master@{#290483} git-svn-id: svn://svn.chromium.org/chrome/trunk/src@290483 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/app/generated_resources.grd7
-rw-r--r--chrome/browser/ssl/ssl_error_info.cc15
2 files changed, 18 insertions, 4 deletions
diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index 5aeeaa3e..bd3db4d 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -2512,6 +2512,13 @@ Even if you have downloaded files from this website before, the website might ha
Server's certificate is not yet valid.
</message>
+ <message name="IDS_CERT_ERROR_CHAIN_EXPIRED_DETAILS" desc="Details for an expired root or intermediate cert in chain">
+ This server could not prove that it is <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>; its security certificate expired. This may be caused by a misconfiguration or an attacker intercepting your connection. Your computer's clock is currently set to <ph name="CURRENT_TIME">$3<ex>July 18, 2012</ex></ph>. Does that look right? If not, you should correct your system's clock and then refresh this page.
+ </message>
+ <message name="IDS_CERT_ERROR_CHAIN_EXPIRED_DESCRIPTION" desc="Description for an expired intermediate/root certificate in chain">
+ A root or intermediate certificate has expired.
+ </message>
+
<message name="IDS_CERT_ERROR_AUTHORITY_INVALID_DESCRIPTION" desc="Description for an X509 certificate with an invalid authority">
Server's certificate is not trusted.
</message>
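Review bot: The clock-date placeholder in IDS_CERT_ERROR_CHAIN_EXPIRED_DETAILS is `$3`, but the new else branch in SSLErrorInfo::CreateError (ssl_error_info.cc, later in this commit) passes only two substitutions: the host and the formatted current date. The date is therefore the second argument and the string never references it, so the rendered text most likely shows no date where the user is asked to check the system clock. Use `<ph name="CURRENT_TIME">$2<ex>July 18, 2012</ex></ph>` here. The `$3` looks carried over from the existing expired-certificate string, which presumably takes a day count as its second argument.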
diff --git a/chrome/browser/ssl/ssl_error_info.cc b/chrome/browser/ssl/ssl_error_info.cc
index 573784e..e21d8f2 100644
--- a/chrome/browser/ssl/ssl_error_info.cc
+++ b/chrome/browser/ssl/ssl_error_info.cc
@@ -67,10 +67,7 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
base::TimeFormatFriendlyDate(base::Time::Now()));
short_description =
l10n_util::GetStringUTF16(IDS_CERT_ERROR_EXPIRED_DESCRIPTION);
- } else {
- // Then it must be not yet valid. We don't check that it is not yet
- // valid as there is still a very unlikely chance that the cert might
- // have become valid since the error occurred.
+ } else if (base::Time::Now() < cert->valid_start()) {
details = l10n_util::GetStringFUTF16(
IDS_CERT_ERROR_NOT_YET_VALID_DETAILS,
UTF8ToUTF16(request_url.host()),
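Review bot: The new condition `base::Time::Now() < cert->valid_start()` reads the clock separately from the `base::Time::Now()` calls that build the message arguments in the same branch, so the branch decision and the values shown to the user can come from different instants. Taking one snapshot before the if/else chain, e.g. `const base::Time now = base::Time::Now();`, and using `now` in both the comparison and the arguments would keep them consistent. The if/else chain and the function itself start outside this hunk, so the first condition is not visible here.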
@@ -78,6 +75,16 @@ SSLErrorInfo SSLErrorInfo::CreateError(ErrorType error_type,
(cert->valid_start() - base::Time::Now()).InDays()));
short_description =
l10n_util::GetStringUTF16(IDS_CERT_ERROR_NOT_YET_VALID_DESCRIPTION);
+ } else {
+ // Two possibilities: (1) an intermediate or root certificate has
+ // expired, or (2) the certificate has become valid since the error
+ // occurred. Since (1) is more likely, assume that's the case.
+ details = l10n_util::GetStringFUTF16(
+ IDS_CERT_ERROR_CHAIN_EXPIRED_DETAILS,
+ UTF8ToUTF16(request_url.host()),
+ base::TimeFormatFriendlyDate(base::Time::Now()));
+ short_description =
+ l10n_util::GetStringUTF16(IDS_CERT_ERROR_CHAIN_EXPIRED_DESCRIPTION);
}
break;
case CERT_AUTHORITY_INVALID:
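Review bot: The comment on the new else branch lists two possibilities, but a third also reaches it: an intermediate or root certificate that is not yet valid. The visible condition only consults `cert->valid_start()`, and nothing in this hunk inspects the rest of the chain. In that case the "has expired" text shown to the user would be wrong. I would extend the comment with something like `// (3) an intermediate or root is not yet valid; the chain itself is not inspected here.` so the approximation is explicit. The if/else chain begins outside this hunk.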